fix: resolve 20 security vulnerabilities from comprehensive audit

Critical (1-3):
- Replace hardcoded admin credentials with secure auto-generation (seed.py)
- Enforce SECRET_KEY configuration, fail in production if missing (config.py)
- Add Zip Slip and Zip Bomb protection to all ZIP import services

High/Medium (4-9):
- Add 50MB file size limit and extension whitelist to evidence uploads
- Configure CORS origins via environment variable instead of hardcoded
- Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend)
- Add rate limiting (5/min) on login endpoint via slowapi
- Replace generic dict payloads with Pydantic schemas (mass assignment)

Medium (10-17):
- Check is_active on login to prevent disabled users from authenticating
- Sanitize exception messages in API responses (system, data_sources)
- Escape LIKE wildcards in all ilike search filters across 8 routers
- Run Docker container as non-root user (appuser)
- Make MINIO_SECURE configurable via environment variable
- Add password complexity policy (12+ chars, upper/lower/digit/special)
- Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min
- Replace xml.etree with defusedxml to prevent Billion Laughs attacks

Low (18-20):
- Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.)
- Disable Swagger UI/ReDoc/OpenAPI in production
- Restrict /health endpoint to internal networks via Nginx ACL

Also: rewrite install.sh as interactive wizard for guided deployment,
fix test-from-template validation error (technique_id UUID vs MITRE ID)

frontend/src/api/auth.ts

@@ -1,25 +1,32 @@
 import client from "./client";
 import type { User } from "../types/models";
 
-interface TokenResponse {
-  access_token: string;
-  token_type: string;
-}
-
-/** Authenticate and return the access token. */
+/**
+ * Authenticate the user.
+ *
+ * The backend sets an HttpOnly cookie with the JWT — no token is stored
+ * in JavaScript memory or localStorage.
+ */
 export async function login(
   username: string,
   password: string,
-): Promise<string> {
+): Promise<void> {
   const params = new URLSearchParams();
   params.append("username", username);
   params.append("password", password);
 
-  const { data } = await client.post<TokenResponse>("/auth/login", params, {
+  await client.post("/auth/login", params, {
     headers: { "Content-Type": "application/x-www-form-urlencoded" },
   });
+}
 
-  return data.access_token;
+/** Clear the authentication cookie on the server. */
+export async function logout(): Promise<void> {
+  try {
+    await client.post("/auth/logout");
+  } catch {
+    // Best-effort — the cookie will expire anyway
+  }
 }
 
 /** Fetch the currently authenticated user profile. */

frontend/src/api/client.ts

@@ -5,15 +5,8 @@ const API_BASE_URL = import.meta.env.VITE_API_URL || "/api/v1";
 const client = axios.create({
   baseURL: API_BASE_URL,
   headers: { "Content-Type": "application/json" },
-});
-
-// Attach the JWT token on every request (if present)
-client.interceptors.request.use((config) => {
-  const token = localStorage.getItem("token");
-  if (token) {
-    config.headers.Authorization = `Bearer ${token}`;
-  }
-  return config;
+  // Send the HttpOnly cookie automatically on every request
+  withCredentials: true,
 });
 
 // Response interceptor for error handling
@@ -22,9 +15,8 @@ client.interceptors.response.use(
   (error: AxiosError<{ detail?: string; code?: string }>) => {
     const status = error.response?.status;
     
-    // On 401, clear token and redirect to login
+    // On 401, redirect to login (cookie is managed by the browser)
     if (status === 401) {
-      localStorage.removeItem("token");
       // Only redirect if not already on login page
       if (window.location.pathname !== "/login") {
         window.location.href = "/login";